diff --git a/.env.sample b/.env.sample
index 95eccd9..10b50a6 100644
--- a/.env.sample
+++ b/.env.sample
@@ -6,9 +6,13 @@ DOMAIN=n8n.example.com
 #EXTRA_DOMAINS=', `www.n8n.example.com`'
 LETS_ENCRYPT_ENV=production
 
-N8N_BASIC_AUTH_USER=test
-N8N_BASIC_AUTH_PASSWORD=test
+# Only required if you're not using SSO
+N8N_BASIC_AUTH_USER=username
 
-SECRET_DB_NON_ROOT_PASSWORD_VERSION=v1
 SECRET_DB_PASSWORD_VERSION=v1
 SECRET_ADMIN_PASSWORD_VERSION=v1
+
+COMPOSE_FILE="compose.yml"
+
+# SSO using traefik-forward-auth
+#COMPOSE_FILE="$COMPOSE_FILE:compose.sso.yml"
diff --git a/compose.sso.yml b/compose.sso.yml
new file mode 100644
index 0000000..a9e4490
--- /dev/null
+++ b/compose.sso.yml
@@ -0,0 +1,16 @@
+---
+
+version: '3.8'
+
+services:
+  app:
+    image: n8nio/n8n
+    environment:
+      - N8N_BASIC_AUTH_ACTIVE=false
+    deploy:
+      labels:
+        - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=5678"
+        - "traefik.http.routers.${STACK_NAME}.middlewares=keycloak@file"
+        - "traefik.http.routers.${STACK_NAME}_public.rule=(Host(`${DOMAIN}`) && PathPrefix(`/webhook`))"
+        - "traefik.http.routers.${STACK_NAME}_public.tls.certresolver=${LETS_ENCRYPT_ENV}"
+        - "traefik.http.routers.${STACK_NAME}_public.entrypoints=web-secure"
diff --git a/compose.yml b/compose.yml
index 9cb531d..660b173 100644
--- a/compose.yml
+++ b/compose.yml
@@ -14,9 +14,9 @@ services:
       - DB_POSTGRESDB_PASSWORD_FILE=/run/secrets/db_password
       - N8N_BASIC_AUTH_ACTIVE=true
       - N8N_BASIC_AUTH_USER
-      - N8N_BASIC_AUTH_PASSWORD
       - N8N_BASIC_AUTH_PASSWORD_FILE=/run/secrets/admin_password
-      - WEBHOOK_URL=https:/${DOMAIN}
+      - WEBHOOK_URL=https://${DOMAIN}
+      - NODE_FUNCTION_ALLOW_EXTERNAL=moment
     depends_on:
       - db
     networks:
@@ -50,7 +50,6 @@ services:
       - POSTGRES_USER=root
       - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
       - POSTGRES_DB=n8n
-      # - POSTGRES_NON_ROOT_USER
     secrets:
       - db_password
     healthcheck: